VDB
GCVE-110-OSM-2026-7585
GCVE-110-OSM-2026-7585
Advisory PublishedCVSS 9.6/10
@injectivelabs/sdk-ts@1.20.21 was compromised via a GitHub contributor account — which unverified reports indicate was hijacked — that injected malicious code into the TypeScript SDK before publication to npm. The malicious version was published on July 8, 2026 at approximately 22:59 GMT+2 and received 310 confirmed downloads before a revert was published at 23:48 GMT+2. The attacker introduced fake telemetry functionality that silently exfiltrates cryptographic material — mnemonic phrases and private key hex values — whenever developers invoke key derivation functions. This gives the attacker the ability to fully regenerate victim private keys and drain associated cryptocurrency wallets. Safe versions are 1.20.20 (prior release) and 1.20.22 or later. The package has approximately 50,000 weekly downloads and 87 dependent packages on npm, 17 of which are also part of the @injectivelabs ecosystem and pulled in v1.20.21 as a dependency.
**Attack vector**
Malicious code injected via a GitHub contributor account (which unverified reports
indicate was hijacked) prior to npm publish. Attacker created a test branch named
`test-backdoor-check` during the intrusion (2026-07-08 20:06 GMT+2) before pushing
the malicious release.
**Malicious behavior**
Fake telemetry function `trackKeyDerivation()` hooks into two key derivation methods:
- `PrivateKey.fromMnemonic()` — captures full mnemonic phrases
- `PrivateKey.fromHex()` — captures private key hex material
Captured data is base64-encoded and exfiltrated via HTTP POST. The encoded payload is
placed in the `X-Request-Id` header of outbound requests. Data captured is sufficient
to fully regenerate the victim's private key and drain associated cryptocurrency wallets.
**Affected files**
- `/dist/cjs/accounts-Cy0p4lLW.cjs`
- `/dist/esm/accounts-jQ1GSgaW.js`
**Network indicators**
- `hxxps://hexhole[.]injective[.]network` (GitHub issue)
- `hxxps://testnet[.]archival[.]chain[.]grpc-web[.]injective[.]network` (Socket analysis)
**File hashes (SHA-256)**
- `103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0` — CJS build
- `9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9` — ESM build
**Timeline**
- 2026-07-08 20:06 GMT+2 — Attacker creates `test-backdoor-check` branch via contributor account
- 2026-07-08 22:59 GMT+2 — Malicious v1.20.21 published to npm
- 2026-07-08 23:18 GMT+2 — Revert commit submitted by maintainers
- 2026-07-08 23:48 GMT+2 — Clean version published
**Dependent packages that pulled in v1.20.21**
@injectivelabs/wallet-base, @injectivelabs/wallet-core, @injectivelabs/wallet-cosmos,
@injectivelabs/wallet-private-key, @injectivelabs/wallet-evm, @injectivelabs/wallet-trezor,
@injectivelabs/wallet-cosmostation, @injectivelabs/wallet-ledger,
@injectivelabs/wallet-wallet-connect, @injectivelabs/wallet-magic,
@injectivelabs/wallet-strategy, @injectivelabs/wallet-turnkey,
@injectivelabs/wallet-cosmos-strategy, @injectivelabs/utils,
@injectivelabs/networks, @injectivelabs/ts-types, @injectivelabs/exceptions
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @injectivelabs/sdk-ts | 1.20.21 (affected) | — |
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.